API Design: Consumer-Specific API Design

Hi,

We have a use case where a few APIs are required to be designed for a specific consumer. These are tightly coupled to that specific consumer, and these APIs would not be used by other consumers in the future.

In this specific case, are there any guidelines/suggestions that can be followed for representing the consumer in the API URL, or as part of the base path, or any other options?

Note: we wanted to avoid mentioning the consumer name in a query param.

Thanks.

Hi @Sakthi

Welcome to the community !!!

I would not compromise on the design aspects even if it's for a single consumer. I would design it with all the usual best practices and guidelines you would follow for any API.

I would secure the API by creating a Product with all these APIs in it. This Product can be very specific to that consumer. That consumer can then create different apps using that product, so that the apps can access it via OAuth policies. The reason I say multiple apps is that your consumer can have different applications trying to access the resources you expose, like a web app, mobile apps, etc. You don't want to use the same app key/secret for all those different user agents.

I have seen a few APIs where, for such use cases, they send an additional custom header like X-Client-App-Id: abcd, and if this is not passed, the proxy throws an error. This might be ok, but it is not completely secure.

I'm not sure how the consumer will access your proxy, but you can enable TLS between the client and Apigee as well if possible, so that the security is further enhanced.

Again, APIs are built for consumers. Tomorrow, if you decide to open it up to other consumers, then having this Product catalog helps you open it up and track usage as well.

I know I got into the implementation aspect here and your question is around design. Repeating myself: you don't have to change design principles for such a use case, but you can get the solution you want by extending the security features that are already built into Apigee Edge.

Hope this clarifies.
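As an added illustration of the reply above (this is example configuration written for this page, not code from the original thread or from Apigee's own documentation), here is a minimal Apigee Edge proxy bundle that puts the consumer in the base path instead of a query param, fronts every request with an OAuthV2 VerifyAccessToken step, and shows the weaker header-only check the reply mentions as a separate policy so the two can be compared. The consumer name "acme", the product name "acme-only", the virtual host name "secure", the policy names and the /orders resource are all assumptions; the API Product itself and the per-app credentials are created in the management UI or API, not in the bundle.

```xml
<!-- apiproxy/proxies/default.xml
     Assumed consumer "acme" is represented in the base path, not in a query parameter. -->
<ProxyEndpoint name="default">
  <HTTPProxyConnection>
    <BasePath>/acme/v1</BasePath>
    <!-- Assumed name of a TLS-only virtual host, so the proxy is never reachable over plain HTTP. -->
    <VirtualHost>secure</VirtualHost>
  </HTTPProxyConnection>
  <PreFlow name="PreFlow">
    <Request>
      <!-- Weak check from the reply: only proves the caller knows a static header value
           that anyone observing one request can copy. Kept here for comparison only. -->
      <Step>
        <Name>RF-Missing-Client-App-Id</Name>
        <Condition>request.header.X-Client-App-Id = null</Condition>
      </Step>
      <!-- Real check: the bearer token must have been issued to an app that holds a product
           which includes this proxy; otherwise the policy itself raises a fault. -->
      <Step>
        <Name>OAuth-Verify-Token</Name>
      </Step>
      <!-- Defence in depth: after VerifyAccessToken the product name is in apiproduct.name,
           so reject tokens issued through any product other than the consumer-specific one. -->
      <Step>
        <Name>RF-Wrong-Product</Name>
        <Condition>apiproduct.name != "acme-only"</Condition>
      </Step>
    </Request>
  </PreFlow>
  <Flows>
    <!-- Assumed resource; the consumer is not repeated in the path suffix. -->
    <Flow name="GetOrders">
      <Condition>(proxy.pathsuffix MatchesPath "/orders") and (request.verb = "GET")</Condition>
    </Flow>
  </Flows>
  <RouteRule name="default">
    <TargetEndpoint>default</TargetEndpoint>
  </RouteRule>
</ProxyEndpoint>

<!-- apiproxy/policies/OAuth-Verify-Token.xml
     Validates the Authorization: Bearer token against tokens minted for apps in the environment. -->
<OAuthV2 name="OAuth-Verify-Token">
  <Operation>VerifyAccessToken</Operation>
</OAuthV2>

<!-- apiproxy/policies/RF-Missing-Client-App-Id.xml
     The "proxy throws an error" behaviour described in the reply. -->
<RaiseFault name="RF-Missing-Client-App-Id">
  <IgnoreUnresolvedVariables>true</IgnoreUnresolvedVariables>
  <FaultResponse>
    <Set>
      <StatusCode>400</StatusCode>
      <ReasonPhrase>Bad Request</ReasonPhrase>
      <Payload contentType="application/json">{"error":"X-Client-App-Id header is required"}</Payload>
    </Set>
  </FaultResponse>
</RaiseFault>

<!-- apiproxy/policies/RF-Wrong-Product.xml
     Token was valid for Apigee but not issued through the consumer-specific product. -->
<RaiseFault name="RF-Wrong-Product">
  <IgnoreUnresolvedVariables>true</IgnoreUnresolvedVariables>
  <FaultResponse>
    <Set>
      <StatusCode>403</StatusCode>
      <ReasonPhrase>Forbidden</ReasonPhrase>
      <Payload contentType="application/json">{"error":"token not issued for this consumer"}</Payload>
    </Set>
  </FaultResponse>
</RaiseFault>
```

The difference between the two checks is where the secret lives: X-Client-App-Id is a fixed value sent in the clear on every call, so it identifies the consumer but does not authenticate it. The OAuth step ties each call to an app credential the consumer can create separately for its web app, mobile app and so on, which is the reason the reply suggests one consumer-specific product with several apps rather than one shared key; revoking a leaked mobile credential then does not take the web app down with it.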